- From: Rob Sayre <sayrer@gmail.com>
- Date: Sat, 21 Sep 2019 13:29:06 -0700
- To: Alexander Neilson <alexander@neilson.net.nz>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Received on Saturday, 21 September 2019 20:29:40 UTC
On Fri, Sep 20, 2019 at 10:04 PM Alexander Neilson <alexander@neilson.net.nz> wrote:

> Going a little back to your original proposal (as clarified) do I
> understand correctly that you are suggesting that a specification be
> created stating that (in the first stage) any Domain of <name>.<TLD> served
> over HTTP is regarded as the equivalent of a certificate failure and should
> come with the full scale “this website may be trying to steal your
> information ...” style blocking page requiring a click onto “advanced” mode
> and bypassing or white listing?

Off-list, someone pointed out that this is pretty similar to the already-proposed "Encrypt All Sites Eligible (EASE) Mode":

https://www.eff.org/deeplinks/2018/12/how-https-everywhere-keeps-protecting-users-increasingly-encrypted-web

It seems like some of the bigger sites that aren't on https://hstspreload.org are probably having trouble with its "includeSubDomains" requirement. I'd propose letting any site in the Alexa Top 1000 (or some other traffic measurement) opt in without that requirement. They can then add subdomains where it makes sense.

Example: https://hstspreload.org/?domain=mail.google.com

It also seems like hstspreload.org should be part of OS networking stacks, especially on mobile phones. I don't know whether any vendor has done this.

thanks,
Rob
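The thread turns on the header-side requirements that hstspreload.org imposes before a domain is accepted into the preload list, and on the includeSubDomains requirement in particular. The following Python checker is an added example, not code from this thread, from Mozilla, or from hstspreload.org: it parses a Strict-Transport-Security value per RFC 6797 syntax (directive names case-insensitive, no repeated directives, optional quoted max-age) and reports which of the published preload requirements the header meets. The constants (max-age of at least 31536000 seconds, plus the includeSubDomains and preload directives) are the hstspreload.org submission requirements as I know them; the site is the authority on current values. The `require_include_subdomains` parameter is my own addition to model what the relaxed opt-in proposed above would change in the check; the certificate and HTTP-to-HTTPS redirect checks the site also performs need a network and are out of scope here.

```python
"""Check a Strict-Transport-Security header value against the header-side
hstspreload.org preload requirements, using RFC 6797 directive syntax.

Added example for this thread; not code from hstspreload.org. The threshold
and directive names below are the published requirements as understood by
the author of this example (assumption: verify against hstspreload.org).
"""

ONE_YEAR = 31536000  # hstspreload.org minimum max-age in seconds (assumed current value)


def parse_hsts(value):
    """Parse an STS header value into {lowercase directive name: value or None}.

    Returns None when the value is not valid RFC 6797 syntax (a directive
    repeated, or max-age that is not a non-negative integer); a user agent
    must ignore such a header field entirely, so a checker should too.
    """
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate an empty element such as a trailing ';'
        name, sep, val = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip() if sep else None
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # max-age="31536000" is the legal quoted-string form
        if name in directives:
            return None  # RFC 6797 6.1: a directive MUST NOT appear more than once
        directives[name] = val
    if "max-age" in directives and not (directives["max-age"] or "").isdigit():
        return None  # max-age must be delta-seconds
    return directives


def preload_eligible(value, require_include_subdomains=True):
    """Return (eligible, reasons) for the header-side preload requirements.

    require_include_subdomains=False models the relaxed opt-in proposed in
    the thread for high-traffic sites; it is not a hstspreload.org option.
    """
    reasons = []
    d = parse_hsts(value)
    if d is None:
        return False, ["header is not valid RFC 6797 syntax"]
    if "max-age" not in d:
        reasons.append("max-age directive missing")
    elif int(d["max-age"]) < ONE_YEAR:
        reasons.append("max-age %s is below %d seconds" % (d["max-age"], ONE_YEAR))
    if require_include_subdomains and "includesubdomains" not in d:
        reasons.append("includeSubDomains directive missing")
    if "preload" not in d:
        reasons.append("preload directive missing")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    for header in (
        "max-age=31536000; includeSubDomains; preload",
        "max-age=63072000; preload",
        "max-age=10886400; includeSubDomains; preload",
        "max-age=100; max-age=200",
    ):
        ok, why = preload_eligible(header)
        print("%-50s -> %s %s" % (header, "eligible" if ok else "rejected", why))
```

Running it shows the practical effect of the requirement the thread discusses: a header with a long max-age and the preload token but no includeSubDomains is rejected under the site's rules and accepted only when `require_include_subdomains=False`, while a repeated directive is rejected outright because a conforming user agent would ignore the whole header.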